Packet Tools
Packet tools help analysts capture, inspect, and manipulate network traffic. These tools support protocol analysis, network forensics, troubleshooting, and security research by revealing exactly what happens on the wire.
Wireshark
Wireshark is the most widely used graphical packet analyzer. It captures live traffic or opens saved pcap/pcapng files, decodes it with dissectors for hundreds of protocols, and lets you drill into every field of every packet. It distinguishes capture filters (BPF syntax, applied while capturing) from display filters (Wireshark's own syntax, such as http.request or tcp.flags.syn == 1, applied to what was already captured), and adds coloring rules, stream reassembly (Follow TCP Stream) and protocol statistics. Two practical notes: do not run the GUI as root; let the dumpcap helper hold the capture privileges (on Linux, CAP_NET_RAW and CAP_NET_ADMIN granted to dumpcap) and run Wireshark as an unprivileged user. And because the dissectors parse untrusted input and have had memory-safety bugs over the years, open captures taken on hostile networks in an isolated VM, ideally with unneeded protocols disabled under Analyze > Enabled Protocols.
Why it’s useful: Essential for learning how protocols behave on the wire and for investigating suspicious network activity.
Difficulty: Intermediate
tcpdump
tcpdump is a command-line packet capture tool available on most Unix-like systems; it is built on libpcap, the same capture library Wireshark uses, so the two read each other's files. It supports Berkeley Packet Filter (BPF) expressions such as 'tcp and port 443' or 'host 10.0.0.5 and not port 22', which are compiled and, where the platform supports it, applied in the kernel before packets reach userspace, and it is ideal for capturing on servers or headless systems. Typical use is tcpdump -i eth0 -nn -w capture.pcap 'filter', then analysis in Wireshark later: -w writes raw packets rather than decoded text, and -nn suppresses DNS and port-name lookups, which otherwise slow the capture and leak what you are looking at to a resolver. Capturing needs root or CAP_NET_RAW; -Z user makes tcpdump drop root after opening the interface (several distributions enable this by default).
Why it’s useful: Teaches low-level packet capture and filtering — critical skills for network forensics and troubleshooting.
Difficulty: Intermediate
TShark
TShark is the command-line counterpart of Wireshark. It uses the same dissectors and display-filter syntax but prints to the terminal, which suits it to automation, scripting and remote analysis: tshark -r capture.pcap -Y 'dns' -T fields -e ip.src -e dns.qry.name pulls selected fields into tab-separated output, and -T json emits full machine-readable decodes for further processing. Because the dissectors are shared with Wireshark, the same caution about parsing captures from hostile networks applies.
Why it’s useful: Great for automated packet analysis, scripting workflows, and working on remote servers without a GUI.
Difficulty: Advanced
Zeek (formerly Bro)
Zeek is a network security monitoring framework that transforms raw traffic into structured, protocol-aware logs: conn.log (one row per flow, with originator and responder addresses, ports, packet and byte counts), dns.log, http.log, ssl.log, files.log and many others, written as tab-separated text or JSON and keyed by a shared connection uid so that events can be joined across logs. Detection is driven by an event-based scripting language that reacts to protocol events rather than by packet-level signatures (Zeek does have a signature engine, but behavioral and protocol logging is its strength), which makes it a good fit for feeding a SIEM or for hunting in long-term NSM data.
Why it’s useful: Shows how high-level network logs are generated from raw packets — foundational for threat hunting and NSM.
Difficulty: Advanced
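To tie the tcpdump, TShark and Zeek entries together, here is an added example (standard library only; not code from any of those tools) that decodes a pcap file the way those tools do, applies the same predicate as the tcpdump expression 'tcp and port 443', and summarises the traffic into rows in the spirit of Zeek's conn.log. SAMPLE_PCAP is a capture constructed by hand for this example: a TCP SYN, its SYN-ACK and one DNS query over UDP between made-up hosts in private and documentation address ranges. Like a BPF filter, the decoder does not verify checksums.

```python
"""Decode a classic pcap, apply a tcpdump-style predicate, and emit Zeek-style flow rows.

Added example (standard library only; not code from tcpdump, TShark or Zeek).
SAMPLE_PCAP is constructed: a TCP SYN, its SYN-ACK, and a DNS query over UDP
between hypothetical hosts. Checksums are not verified, as with BPF.
"""
import struct

SAMPLE_PCAP = bytes.fromhex(
    "d4c3b2a1" "0200" "0400" "00000000" "00000000" "00000100" "01000000"  # pcap global header, LE, Ethernet
    # record 1: 10.0.0.5:50000 -> 203.0.113.10:443, TCP SYN
    "00f15365" "64000000" "36000000" "36000000"
    "001122334455" "66778899aabb" "0800"
    "45000028" "00014000" "4006f4bf" "0a000005" "cb00710a"
    "c35001bb" "00000001" "00000000" "5002ffff" "a4c60000"
    # record 2: 203.0.113.10:443 -> 10.0.0.5:50000, TCP SYN-ACK
    "00f15365" "204e0000" "36000000" "36000000"
    "66778899aabb" "001122334455" "0800"
    "45000028" "00024000" "3a06fabe" "cb00710a" "0a000005"
    "01bbc350" "00001000" "00000002" "5012ffff" "94b50000"
    # record 3: 10.0.0.5:40000 -> 10.0.0.1:53, DNS query for example.com (UDP checksum 0 = absent)
    "00f15365" "30750000" "47000000" "47000000"
    "001122334455" "66778899aabb" "0800"
    "45000039" "00030000" "401166ac" "0a000005" "0a000001"
    "9c400035" "00250000"
    "12340100" "00010000" "00000000" "076578616d706c6503636f6d00" "00010001"
)

def _ip(raw):
    return ".".join(str(b) for b in raw)

def decode_frame(frame):
    """Ethernet II -> IPv4 -> TCP/UDP headers as a dict; None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    vihl, _tos, total, _id, _frag, ttl, proto, _csum, sip, dip = struct.unpack_from(
        "!BBHHHBBH4s4s", frame, 14)
    l4 = 14 + (vihl & 0x0F) * 4  # IHL is in 32-bit words; options shift the L4 header
    pkt = {"src": _ip(sip), "dst": _ip(dip), "ttl": ttl, "len": total,
           "l4": "other", "sport": None, "dport": None}
    if proto == 6 and len(frame) >= l4 + 20:
        sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, l4)
        pkt.update(l4="tcp", sport=sport, dport=dport, seq=seq, flags=off_flags & 0x1FF)
    elif proto == 17 and len(frame) >= l4 + 8:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        pkt.update(l4="udp", sport=sport, dport=dport)
    return pkt

def parse_pcap(data):
    """Yield decoded packets from classic pcap bytes (either byte order, Ethernet link type)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond variants not handled)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            yield pkt

def matches(pkt, proto=None, port=None, host=None):
    """Same predicate as the tcpdump expression 'PROTO and port PORT and host HOST'."""
    return ((proto is None or pkt["l4"] == proto)
            and (port is None or port in (pkt["sport"], pkt["dport"]))
            and (host is None or host in (pkt["src"], pkt["dst"])))

def capture_filter(data, **expr):
    return [p for p in parse_pcap(data) if matches(p, **expr)]

def conn_log(data):
    """One tab-separated row per bidirectional flow, in the spirit of Zeek's conn.log:
    ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes.
    The first packet seen in a flow defines the originator."""
    flows = {}
    for p in parse_pcap(data):
        if p["l4"] not in ("tcp", "udp"):
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"], p["l4"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"], p["l4"])
        key, side = (rev, "resp") if rev in flows else (fwd, "orig")
        f = flows.setdefault(key, {"ts": p["ts"], "orig_pkts": 0, "orig_ip_bytes": 0,
                                   "resp_pkts": 0, "resp_ip_bytes": 0})
        f[side + "_pkts"] += 1
        f[side + "_ip_bytes"] += p["len"]
    return ["\t".join(str(x) for x in (f"{f['ts']:.6f}", *key, f["orig_pkts"], f["orig_ip_bytes"],
                                          f["resp_pkts"], f["resp_ip_bytes"]))
            for key, f in flows.items()]
```

capture_filter(SAMPLE_PCAP, proto="tcp", port=443) returns the SYN and SYN-ACK and nothing else, and conn_log(SAMPLE_PCAP) collapses the three packets into two flows, the TCP one with one packet in each direction. Point parse_pcap at a file written by tcpdump -w to run it on real traffic; pcapng (Wireshark's default save format) is deliberately rejected rather than misread.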
Scapy
Scapy is a Python-based packet crafting and manipulation library with an interactive shell. Packets are built by stacking layers (Ether()/IP()/TCP()) whose lengths and checksums are filled in automatically, and Scapy can send them, sniff replies, read and write pcap files, and decode responses across many protocols. Sending crafted or spoofed packets needs raw-socket privileges (root or CAP_NET_RAW) and should only be done on networks you are authorized to test; for learning, build packets and save them with wrpcap() to inspect in Wireshark rather than transmitting them.
Why it’s useful: Perfect for learning how packets are constructed and how attackers craft custom traffic for testing or exploitation.
Difficulty: Advanced
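As an added example of the layering that Scapy automates (standard library only; this is not Scapy's own code or API), the block below builds an Ethernet/IPv4/TCP SYN and an HTTP request segment by hand, computing the IPv4 header checksum and the TCP checksum over its pseudo-header, and wraps the frames in a pcap file that Wireshark or tcpdump -r can open. The MAC addresses, hosts and ports are made up.

```python
"""Craft Ethernet/IPv4/TCP frames by hand and save them as a pcap.

Added example (standard library only; not Scapy's code). It does by hand what
Scapy's Ether()/IP()/TCP() layers and wrpcap() automate, so every length and
checksum field is visible. MACs, hosts and ports are hypothetical.
"""
import socket
import struct

SRC_MAC, DST_MAC = "66:77:88:99:aa:bb", "00:11:22:33:44:55"  # hypothetical
SRC_IP, DST_IP = "10.0.0.5", "203.0.113.10"                  # hypothetical (TEST-NET-3 target)

def inet_checksum(data):
    """RFC 1071: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_pseudo_header(src_ip, dst_ip, seg_len):
    """Src, dst, zero, protocol 6, TCP length: covered by the TCP checksum but never sent."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, seg_len)

def build_tcp(src_ip, dst_ip, sport, dport, seq, flags, ack=0, payload=b"", window=65535):
    """20-byte header (data offset 5, no options); checksum over pseudo-header + header + payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4(src_ip, dst_ip, proto, payload, ident, ttl=64):
    """IHL 5, DF set; the header checksum covers the 20 header bytes only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_ethernet(dst_mac, src_mac, payload, ethertype=0x0800):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

def build_pcap(frames, base_ts=1700000000.0, linktype=1):
    """Classic little-endian pcap; frames are stamped 1 ms apart starting at base_ts."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        t = base_ts + i / 1000
        out.append(struct.pack("<IIII", int(t), int(round((t - int(t)) * 1e6)), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def verify_tcp_checksum(src_ip, dst_ip, segment):
    """Re-summing a correct segment together with its pseudo-header yields 0."""
    return inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def verify_ipv4_checksum(packet):
    return inet_checksum(packet[:(packet[0] & 0x0F) * 4]) == 0

def make_capture():
    """A SYN to 443 followed by a PSH/ACK to 80 carrying an HTTP request line."""
    syn = build_tcp(SRC_IP, DST_IP, 50000, 443, seq=1, flags=0x02)
    req = build_tcp(SRC_IP, DST_IP, 50001, 80, seq=1, flags=0x18, ack=1, payload=b"GET / HTTP/1.0\r\n\r\n")
    frames = [build_ethernet(DST_MAC, SRC_MAC, build_ipv4(SRC_IP, DST_IP, 6, seg, ident=i + 1))
              for i, seg in enumerate((syn, req))]
    return build_pcap(frames)

if __name__ == "__main__":
    with open("crafted.pcap", "wb") as fh:
        fh.write(make_capture())
    print("wrote crafted.pcap; inspect it with Wireshark or: tcpdump -nn -r crafted.pcap")
```

Running the file writes crafted.pcap; Wireshark shows both segments with "checksum correct" status, and flipping any byte in a segment makes verify_tcp_checksum() return False. Nothing is transmitted, which is the safe way to study packet construction before pointing a tool like Scapy at a live network you are authorized to test.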